Privacy Laws

In March 2014, the Commonwealth Government replaced the National Privacy Principles (NPPs) and the Information Privacy Principles (IPPs) with the Australian Privacy Principles (APPs). As an Amway Independent Business Owner (IBO), it is important that you are up to date on the current Australian privacy laws.

WHAT ARE THE AUSTRALIAN PRIVACY PRINCIPLES?

There are thirteen APPs found in Schedule 1 of the Privacy Act 1988 (Cth) (‘the Act’). The APPs apply to most Australian Government agencies and all private organisations. These principles cover, but are not strictly limited to, rules that regulate;

How personal information is collected;

How this information is managed and used;

Ensuring that the personal information remains secure;

If requested, ensuring that the personal information remains anonymous;

The rights for individuals to access their personal information; and

Using personal information for the purposes of direct marketing.

WHAT IS PERSONAL INFORMATION?

‘Personal Information’ can be classified as any information or opinion that identifies, or reasonably identifies, an individual. This includes, but is not limited to, a name, address, date of birth, telephone number, medical insurance and bank details, and opinions.

‘Sensitive information’ is a branch of personal information that carries stricter guidelines. This is classified as information or an opinion that includes, but is not limited to, an individual’s racial background, religious beliefs, ethnicity, political opinions, health information, sexual preferences and criminal records.

WHAT CAN OR CAN’T I DO WITH THE PERSONAL INFORMATION I HAVE ACQUIRED?

There are a number of important requirements imposed by the APPs, including, but not limited to, that an organisation:

may only collect Personal Information if it is necessary for one or more of its primary or secondary functions;

may not use or disclose Personal Information for a purpose other than that for which it was collected, unless the person concerned consents to such use. 'Consent' may, in certain instances, be implied. For example, failing to 'opt out' with respect to the question of receiving direct marketing materials may be regarded as 'implied consent' to receive direct marketing materials;

must set out its policies on its management of Personal Information and make it available to anyone who asks. An organisation’s privacy policy must be clearly expressed, up-to-date and accessible by all;

must take reasonable steps to make individuals aware that it is collecting information about them, the purposes for the collection and to whom the information may be disclosed;

take steps to ensure that individuals have a simple way of opting out of any direct marketing communications;

ensure that any overseas organisations receiving Personal Information also comply with the APPs; and

must take reasonable steps to ensure that the Personal Information they collect, use or disclose is accurate, complete and up to date. If Personal Information is no longer needed, it must be destroyed;

must (except in some specified circumstances) give an individual access to Personal Information it holds about that person on request.

IS MY AMWAY INDEPENDENT BUSINESS SUBJECT TO THE AUSTRALIAN PRIVACY PRINCIPLES?

Generally speaking, yes. Even though a small business with an annual turnover of less than $3 million is usually exempt, the Amway of Australia is subject to the APPs. Australian law states that a small business is consequently subject to the APPs if it relates to another business that is subject to the Act. In other words, because Amway handles information that is subject to the APPs, your business is indirectly subject to the same principles.

In addition, your business is subject to the APPs if it directly trades personal information. If you collect and/or disclose an individual’s personal information, without their consent, for a benefit, service or advantage then you are subject to the APPs. Under Australian law, a benefit, service or advantage can include any sort of financial payment or concession.

If your business does fall under the jurisdiction of the APPs, you must follow the legal requirements on how the personal information is handled. This does not mean that you cannot collect personal information for your business needs.

CAN I USE CERTAIN PERSONAL INFORMATION TO BUILD A RELATIONSHIP WITH A POTENTIAL PROSPECT OR CLIENT?

(An example given by The Office of the Australian Information Commission is collecting the information provided about their interests)

Yes, but there are restrictions. Under Principle 3 and 6 of the APPs, you must ensure that you are upfront with how you collect your prospect’s information. You cannot trick them into giving you any personal information. If you choose to use that information for another purpose, you must seek the prospect’s permission first.

If the information being collected falls under the definition of Sensitive Information, you must inform the prospect of your intention of collecting the information and seek their consent before using it to build a relationship. At all times, you must ensure an individual consents to your use of their information.

THE AUSTRALIAN PRIVACY PRINCIPLES AND DIRECT MARKETING.

Principle 7 discusses personal information and direct marketing. Under this principle, the blanket rule is that any personal or sensitive information collected for a primary purpose cannot then be used for direct marketing purposes.

However, there are some exceptions. An organisation may use personal information if they have collected the information directly from the individual, the individual reasonably expects (or directly consents if it is not reasonable for such an expectation) that their information may be used for direct marketing purposes, and the recipient can easily opt out of the direct marketing communications at any time and has not opted out.

If the organisation has obtained the information from a third party, they must disclose the source of their information if requested by the individual.

Please see our ‘Telemarketing and Do Not Call Register’ guide for more information.

WHAT PENALTIES APPLY FOR SERIOUS BREACHES AND MISUSE OF PERSONAL INFORMATION?

For individuals, the Australian Privacy Commissioner can seek penalties up to $340,000. For a company, penalties can be up to $1.7 million.

WHAT CAN I DO IF SOMEONE HAS MISUSED MY PERSONAL INFORMATION?

If the small business in breach is covered under the Privacy Act, a complaint can be made to the Office of the Australian Information Commissioner (OAIC).

*DISCLAIMER: The information contained in this article is not comprehensive and is only a summary of the important provisions concerning privacy. More detailed information can be found at the Office of the Australian Information Commissioner’s website located at https://www.oaic.gov.au/privacy-law/. Alternatively, please consult your legal practitioner or the Amway Legal Department regarding the privacy requirements for your Independent Business.